FRAMEWORK FOR FINE-GRAIN ACCESS CONTROL FROM HIGH-LEVEL APPLICATION PERMISSIONS

US 20150150119A1
Filed: 10/20/2014
Published: 05/28/2015
Est. Priority Date: 11/27/2013
Status: Abandoned Application

First Claim

Patent Images

1. A method for access control of an application feature to resources on a mobile computing device comprising the steps of:

preparing an application for installation on the mobile computing device via a processor;

identifying an application permission associated with the application, the application permission relating to access of resources of the mobile computing device;

determining restrictions associated with the application permission;

defining a set of mandatory access control rules for the application permission based on the restrictions;

combining the set of mandatory access control rules and the application permission in a loadable mandatory access control policy module; and

storing the loadable mandatory access control policy module in a memory of the mobile computing device, the loadable mandatory access control policy module capable of being enforced by an operating system of the mobile computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for access control of an application feature to resources on a mobile computing device. An application is prepared for installation on the mobile computing device via a processor. An application permission associated with the application is identified. The application permission relates to access of resources of the mobile computing device. Restrictions associated with the application permission are determined. A set of mandatory access control rules are defined for the application permission based on the restrictions. The set of mandatory access control rules and the application permission are combined in a loadable mandatory access control policy module. The loadable mandatory access control policy module is stored in a memory of the mobile computing device, the loadable mandatory access control policy module capable of being enforced by an operating system of the mobile computing device.

13 Citations

View as Search Results

22 Claims

1. A method for access control of an application feature to resources on a mobile computing device comprising the steps of:
- preparing an application for installation on the mobile computing device via a processor;
  
  identifying an application permission associated with the application, the application permission relating to access of resources of the mobile computing device;
  
  determining restrictions associated with the application permission;
  
  defining a set of mandatory access control rules for the application permission based on the restrictions;
  
  combining the set of mandatory access control rules and the application permission in a loadable mandatory access control policy module; and
  
  storing the loadable mandatory access control policy module in a memory of the mobile computing device, the loadable mandatory access control policy module capable of being enforced by an operating system of the mobile computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1 wherein a manifest file maps the application permission to the set of mandatory access control rules.
  - 3. The method of claim 2 wherein the manifest file enumerates the application permission requested by the application.
  - 4. The method of claim 3 wherein the permission in the manifest file is mapped to the set of mandatory access control rules providing authorization rules for accessing the mobile computing device resources.
  - 5. The method of claim 4 wherein the mandatory access control rules define access to a respective socket.
  - 6. The method of claim 5 wherein the mandatory access control rules define an operation allowed on the respective socket.
  - 7. The method of claim 4 wherein the mandatory access control rules define access to a respective port.
  - 8. The method of claim 7 wherein the mandatory access control rules define sending capabilities through the respective port.
  - 9. The method of claim 7 wherein the mandatory access control rules define receiving capabilities through the respective port.
  - 10. The method of claim 1 wherein the mandatory access control rules are generated as SELinux mandatory access control rules.
  - 11. The method of claim 1 wherein the policy module is generated as a SELinux policy.
  - 12. The method of claim 1 wherein the policy module, mandatory access control rules, and the mapping are obtained as inputs during offline processing.
  - 13. The method of claim 1 wherein during online processing, a processor scans a manifest file containing the permission that the application is requesting.
  - 14. The method of claim 1 wherein a processor converts the permission in the file to the set of mandatory access control rules.
  - 15. The method of claim 1 wherein the loadable policy module is generated as a SELinux policy module.
  - 16. The method of claim 1 wherein a sandboxing framework is utilized for preventing the application from accessing resources of the mobile computing device, wherein the sandbox framework functions as a proxy between the requesting application and the device resources.
  - 17. The method of claim 16 wherein the proxy provides access to a virtual copy of a system file of the mobile device, wherein selective access is only allowed to the virtual copy of the system file thereby preventing access to the system file of the mobile device.
  - 18. The method of claim 16 wherein the sandbox framework functions as the proxy between the requesting application and an operating system controlling the resource.
  - 19. The method of claim 16 wherein the sandbox enforces the mandatory access control policy module.

20. A method for installing access control on a mobile computing device comprising:
- establishing a communication between a mobile computing device and an application distribution entity, the application distribution entity configured to transmit an application to the mobile computing device upon a request by the mobile computing device;
  
  sending a request by the mobile computing device to the application entity for downloading the application;
  
  identifying application permissions associated with the application, the application permission relating to access resources of the mobile computing device;
  
  determining restrictions associated with the application permission;
  
  defining a set of mandatory access control rules for the application permission; and
  
  combining the set of mandatory access control rules and the application permission in a loadable mandatory access control policy module.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20 wherein a sandboxing framework is utilized for preventing the application from accessing resources of the mobile computing device, wherein the sandbox framework functions as a proxy between the requesting application and the device resources, wherein the proxy provides access to virtual copies of resources of the mobile device, wherein access is only allowed to the virtual copy of the resources thereby preventing access to the resources of the mobile device.
  - 22. The method of claim 20 wherein the application feature is granted access during enablement of the application if authorized by the mandatory access control rules associated with the permission.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GM Global Technology Operations LLC (General Motors Company)
Original Assignee
GM Global Technology Operations LLC (General Motors Company)
Inventors
HOLLAND, GAVIN D., EL DEFRAWY, KARIM, NOGIN, ALEKSEY

Application Number

US14/518,020
Publication Number

US 20150150119A1
Time in Patent Office

Days
Field of Search
US Class Current

726/17
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/629   to features or functions of...

G06F 2221/2113   Multi-level security, e.g. ...

FRAMEWORK FOR FINE-GRAIN ACCESS CONTROL FROM HIGH-LEVEL APPLICATION PERMISSIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

FRAMEWORK FOR FINE-GRAIN ACCESS CONTROL FROM HIGH-LEVEL APPLICATION PERMISSIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links